45 Million User Records Leaked Online in Recent VerticalScope Breach
“If you are a user of one of our communities, you will receive an email shortly to change your password.”
Forty five million records from over 1100 websites and online communities are said to have been siphoned out of known website aggregator VerticalScope.com, reports say on Wednesday. According to paid hack search engine, Leakedsource, troves of breached data have been discovered in February 2016, containing mostly of information like email addresses, usernames, IP addresses, and passwords. In some instances, some of the uncovered records also contain a second password. Leakedsource shared that the breach was confirmed by VerticalScope in April following a correspondence with reporter Zack Whittaker.
In a security update, the Toronto, Canada-based multi-platform media company notes, “In response to increased Internet awareness of security-related incidents, including potential incidents on our communities, as a precautionary security measure, we are implementing changes to strengthen our password policies and practices across all of our communities.” This includes requiring users of resetting their passwords prior to logging in on their community accounts, mandating the use of stronger passwords and periodic password expiration, and working together with third party specialists to further dig in on the breach that took place.
Interestingly, in an entry, LeakedSource notes that among the most common passwords unearthed in the data set are 123456, password, 111111, and qwerty—hence, the call for stricter password management among community members.
VerticalScope takes pride in its “deep in-house expertise in search engine optimization (SEO), internet marketing, and traffic acquisition to build highly targeted successful online communities and websites”. Through the years, it has built a strong portfolio of over 600 webpages with over 25 million aggregate pages of content that attract more than 84 million unique visitors monthly. The company has acquired and developed an array of websites that cater largely to sports, automotive, and outdoor activities. To date, VerticalScope has over 38 million registered members.
In its post, Leakedsource says, “Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale.”
The Cost of Data Breaches
The news of the breach broke out not long after a slew of social networking sites were reported to have become victims of year-old data breaches that have just been discovered and disclosed recently. At the onset of June, the Federal Bureau of Investigations (FBI) has issued a public service announcement aimed at warning the public of an onslaught of extortion schemes that came after known social sites have been breached. The scammers are leveraging the emergence of data dumped in the underground from LinkedIn, Tumblr, Fling, and even Myspace, sold at varying prices.
In Trend Micro’s research paper, Follow the Data: Dissecting Data Breaches and Debunking Myths, researchers highlight that the value of knowing the trail of data after it was stolen from the enterprise is as significant as determining who was affected by the breach and how they can recover.
Perpetrators behind every successful breach treat the database of its target as a goldmine as the amount of data that these databases house could easily translate to profit or could be used essentially as an ingredient in staging another attack.
In the recently disclosed data dump of stolen account information of LinkedIn members, a hacker with the moniker peace_of_mind, or more commonly known as Peace, sold 117 million records containing both emails and passwords at a rate of 5 bitcoins or an amount totaling to 2,200 USD. For a cybercriminal with malicious intent, that is the price to pay to take over troves of sensitive information that could be used in other attacks. For a company, damages for breaches this big could translate to millions of losses.
Recently, the Ponemon Institute and IBM Security released its annual Cost of Data a Breach study and found an uptick in its findings of the average cost of a data breach from last year’s 3.79 million USD to 4 million USD—which illustrates a 30% increase since 2013.
The study was conducted in a 10-month period where Ponemon Institute researchers interviewed IT, compliance and information security practitioners from 383 organizations in 12 countries, including United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region, Canada and even, South Africa.
In a statement, Larry Ponemon, founder and chairman of the Ponemon Institute shared, “Data breaches are now a consistent 'cost of doing business' in the cybercrime era,” he added, “The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”
Looking into the figures of this year, the study has unearthed data that shows security incidents reported between 2014 and 2015 depicted a dramatic 64% increase. On average, companies lose 158 USD per record—a noticeable jump from last year’s 154 USD. In the cases of industries like healthcare, on the other hand, damages cost incredibly higher—reaching a massive 355 USD rate per record. The cost mentioned in the study already involves incident forensics, communications, legal expenditures, and regulatory mandates.
In 2015, one of the most controversial and widely-reported breaches involve the self-proclaimed “cheating network”, Ashley Madison. The site, run by Avid Life Media (AVL), provided a platform for married individuals to find an affair. This very concept has attracted a generous number of registered members that reach almost 40 million active accounts, supposedly promised of anonymity.
Interestingly, when hacking group named “The Impact Team” took hold of the site’s troves of sensitive information, it was clearly driven by different motivations. As such, the threat went on saying, “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
A month after the threat was made, the cybercriminals behind the hack made good with their warning and dumped a good 10 gigabytes-worth of files on the deep web, left accessible to anyone running the Tor browser. The files reportedly contained account details and log-in credentials, names, street address, and email addresses of around 32 million users, apart from seven year-old credit card and payment transactions.
In a report by the New York Times, the perpetrators behind the massive breach pointed fingers at the site administrators violating user rights regarding the deletion of accounts. A 19 USD fee was reported to be charged from customers to delete their accounts from the site database. However, the payment of this said fee does not completely erase information of the paid customer, a breach of contract noted by Randy V. Sabett, special counsel from Washington.
By the end of August 2015, at least four lawsuits have reportedly been filed against AVL following the exposure of sensitive information residing in the Ashley Madison database. In Canada, a widower, who joined the site following the death of his wife, sued the company for 578 million USD. Two law firms then filed a class-action suit against AVL on his behalf. At the time, Ponemon, and researchers of his firm, noted that an average cost of a data breach is 23 USD- 25 USD per record, inclusive of lawsuit costs. That said, the cost of the AM breach could cost AVL as high as 850 million USD in damages.
In a statement, Ponemon noted, “The reputation effect alone is going to kill the company. Their whole model is based on secrecy and the privacy of the individuals participating in this service. The reputational damage will be very difficult to overcome.” In effect, Noel Biderman, AVL former chief executive, was propelled to step down of office not just for the exposure of customer data, but also for uncovered intelligence suggesting questionable and reputation-damaging business practices.
Much more recently, in May 2016, payroll processing giant, ADP, was involved in a breach that potentially exposed tax information of employees of its clients to tax fraud and identity theft. Reports of fraudulent transactions made through its ADP self-service portal alerted the 60-year-old company to an unauthorized access to its client database. ADP, whose vast clientele reaches over 640,000 companies globally, was significantly impacted by the reported breach bringing down the company shares to about 0.7%, while its client and confirmed affected party went down 1.3%. This represents a significant loss of confidence on the security of client data on the company.
Building a defensive wall
While the numbers have considerably grown from where it was in the past year, researchers behind the Cost of a Data Breach study highlight the importance of building a steadfast response team that could easily detect and mitigate damages brought by unauthorized access to a company’s crown jewels.
According to the report, breaches uncovered in less than 100 days cost ac company an average of 3.23 million USD. On the other hand, those that exceed 100 days cost higher at 4.38 million USD. An average of 400,000 USD could then be reduced from the cost of a data breach with a speedy and agile response team intact. On average, the average amount of time it takes to determine a breach is 201 days, while an average time to contain it reaches 70 days.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale